Last round of fixes (fingers crossed)

* Updated spec use systemd unit file (and removed ensure) * Updated systemd template to have configurable user and group * Updated systemd template to have service options
voxpupuli · Jul 15, 2024 · 1271891 · 1271891
1 parent 4e71a80
commit 1271891
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 19 deletions.
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -166,13 +166,20 @@
           content => epp(
             'vault/vault.service.epp',
             {
+              user            => $vault::user,
+              group           => $vault::group,
               bin_dir         => $vault::bin_dir,
+              service_options => $vault::service_options,
               config_dir      => $vault::config_dir,
               config_output   => $vault::config_output,
               create_env_file => $vault::create_env_file,
               num_procs       => $vault::num_procs,
+              disable_mlock   => $vault::disable_mlock,
             }
           ),
+          mode    => '0444',
+          owner   => 'root',
+          group   => 'root',
         }
       }
       default: {

diff --git a/spec/classes/vault_spec.rb b/spec/classes/vault_spec.rb
@@ -424,9 +424,8 @@
           context 'RedHat >=7 specific' do
             context 'includes systemd init script' do
               it {
-                is_expected.to contain_file('/etc/systemd/system/vault.service').
+                is_expected.to contain_systemd__unit_file('vault.service').
                   with_mode('0444').
-                  with_ensure('file').
                   with_owner('root').
                   with_group('root').
                   with_content(%r{^# vault systemd unit file}).
@@ -454,9 +453,8 @@
               end
 
               it {
-                is_expected.to contain_file('/etc/systemd/system/vault.service').
+                is_expected.to contain_systemd__unit_file('vault.service').
                   with_mode('0444').
-                  with_ensure('file').
                   with_owner('root').
                   with_group('root').
                   with_content(%r{^# vault systemd unit file}).
@@ -473,9 +471,8 @@
               end
 
               it {
-                is_expected.to contain_file('/etc/systemd/system/vault.service').
+                is_expected.to contain_systemd__unit_file('vault.service').
                   with_mode('0444').
-                  with_ensure('file').
                   with_owner('root').
                   with_group('root').
                   with_content(%r{^# vault systemd unit file}).
@@ -598,11 +595,10 @@
           context 'on Debian based with systemd' do
             context 'includes systemd init script' do
               it {
-                is_expected.to contain_file('/etc/systemd/system/vault.service').
-                  with_mode('0444').
-                  with_ensure('file').
+                is_expected.to contain_systemd__unit_file('vault.service').
                   with_owner('root').
                   with_group('root').
+                  with_mode('0444').
                   with_content(%r{^# vault systemd unit file}).
                   with_content(%r{^User=vault$}).
                   with_content(%r{^Group=vault$}).
@@ -628,9 +624,8 @@
               end
 
               it {
-                is_expected.to contain_file('/etc/systemd/system/vault.service').
+                is_expected.to contain_systemd__unit_file('vault.service').
                   with_mode('0444').
-                  with_ensure('file').
                   with_owner('root').
                   with_group('root').
                   with_content(%r{^# vault systemd unit file}).
@@ -647,9 +642,8 @@
               end
 
               it {
-                is_expected.to contain_file('/etc/systemd/system/vault.service').
+                is_expected.to contain_systemd__unit_file('vault.service').
                   with_mode('0444').
-                  with_ensure('file').
                   with_owner('root').
                   with_group('root').
                   with_content(%r{^# vault systemd unit file}).

diff --git a/templates/vault.service.epp b/templates/vault.service.epp
@@ -1,16 +1,20 @@
 <% |
+  String  $user,
+  String  $group,
   String  $bin_dir,
+  String  $service_options = "",
   String  $config_dir,
   String  $config_output,
   Boolean $create_env_file,
   Integer $num_procs,
+  Boolean $disable_mlock = false,
 | %>
 # vault systemd unit file
 ###########################################################################################################
 # this file has been put in place by the jsok/vault Puppet module (https://forge.puppetlabs.com/jsok/vault)
-# any changes will be overwritten if Puppet is run again
-# This script is originally from:
-# https://learn.hashicorp.com/vault/operations/ops-deployment-guide#step-3-configure-systemd
+# any changes will be overwritten if Puppet is run again.
+#
+# This unit file originally from official vault package.
 ###########################################################################################################
 
 [Unit]
@@ -27,18 +31,24 @@ Type=notify
 <%- if $create_env_file == true { -%>
   <%= $config_dir %>/vault.env
 <%- } -%>
-User=vault
-Group=vault
+User=<%= $user %>
+Group=<%= $group %>
 ProtectSystem=full
 ProtectHome=read-only
 PrivateTmp=yes
 PrivateDevices=yes
+<%- if $disable_mlock == true { -%>
+CapabilityBoundingSet=CAP_SYSLOG
+<%- } else { -%>
 SecureBits=keep-caps
+Capabilities=CAP_IPC_LOCK+ep
 AmbientCapabilities=CAP_IPC_LOCK
 CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+<%- } -%>
+
 NoNewPrivileges=yes
 Environment=GOMAXPROCS=<%= $num_procs %>
-ExecStart=<%= $bin_dir %>/vault server -config=<%= $config_dir %>/vault.<%= $config_output %>
+ExecStart=<%= $bin_dir %>/vault server -config=<%= $config_dir %>/vault.<%= $config_output %> <%= $service_options %>
 ExecReload=/bin/kill --signal HUP $MAINPID
 KillMode=process
 KillSignal=SIGINT